camunda / issues


Identity fails to refresh token leading to errors in the UI #746

Closed engineering-issue-sync-app[bot] closed 1 month ago

engineering-issue-sync-app[bot] commented 2 months ago

Related issues

https://jira.camunda.com/browse/SUPPORT-21543 https://jira.camunda.com/browse/SUPPORT-22059

Issue

In Keycloak 23+ the issuer is validated when making a refresh_token request; this validation is based on dynamic hostname resolution in Keycloak itself. This prevents Identity from refreshing a token because the token retrieved by Identity contains the public Keycloak URL as the issuer. When Identity tries to refresh the authentication token, the request is made via the backend, which means the hostname is dynamically resolved to the internal/container name. This ultimately causes the issuers not to match and the request to fail.

There is a known limitation and issue in Keycloak's current approach regarding different request hosts (frontchannel/backchannel): https://github.com/keycloak/keycloak/issues/27660.

Possible remediation

I've investigated this issue and believe that the most reasonable resolution is:

:robot: This issue is automatically synced from: source

engineering-issue-sync-app[bot] commented 1 month ago

We should also consider the logout request. It seems that it also has the new check and fails.

:robot: This comment from @dlavrenuek is automatically synced from: source
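The issuer mismatch described in the issue body, and the same check hitting the logout request as noted in the follow-up comment, can be modelled in a few lines. The block below is an added example, not Camunda Identity or Keycloak code: it builds an unsigned demo token whose `iss` is the public (frontchannel) realm URL, then applies the issuer comparison to a refresh and a logout request arriving over the internal (backchannel) hostname. The realm name `camunda-platform`, the hostnames `keycloak.example.com` and `keycloak:8080`, and the `pinned_base_url` parameter (standing in for any Keycloak configuration that emits a fixed issuer regardless of request host) are assumptions for the demo.

```python
# Added example (not Camunda or Keycloak code): a model of the issuer check that
# Keycloak 23+ applies to refresh_token and logout requests, showing why a token
# minted through the public (frontchannel) URL fails when Identity's backend
# refreshes or revokes it through the internal container hostname.
# Hostnames, realm name and token contents are constructed for the demo.
import base64
import json
from typing import Optional, Tuple
from urllib.parse import urlsplit

REALM = "camunda-platform"                     # assumed realm name
FRONTCHANNEL = "https://keycloak.example.com"  # assumed public URL seen by the browser
BACKCHANNEL = "http://keycloak:8080"           # assumed container name used by Identity's backend


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_demo_token(iss: str, typ: str) -> str:
    """Build an UNSIGNED JWT (alg=none) carrying the given issuer, for the demo only.
    Real Keycloak tokens are signed; the issuer comparison is independent of that."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": iss, "typ": typ, "azp": "camunda-identity"}).encode())
    return f"{header}.{payload}."


def token_claims(token: str) -> dict:
    """Decode a JWT payload without verifying it (enough to read `iss` for diagnosis)."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def realm_issuer(base_url: str, realm: str) -> str:
    """Issuer Keycloak advertises for a realm served under base_url."""
    u = urlsplit(base_url)
    return f"{u.scheme}://{u.netloc}{u.path.rstrip('/')}/realms/{realm}"


def issuer_from_request(request_url: str, realm: str,
                        pinned_base_url: Optional[str] = None) -> str:
    """Issuer Keycloak derives while handling a request.
    Dynamic mode (the behaviour the issue describes): scheme and host of the
    incoming request. Pinned mode (assumed stand-in for a fixed-hostname
    configuration): always the configured public base URL."""
    if pinned_base_url:
        return realm_issuer(pinned_base_url, realm)
    u = urlsplit(request_url)
    return realm_issuer(f"{u.scheme}://{u.netloc}", realm)


def check_issuer(token: str, request_url: str, realm: str,
                 pinned_base_url: Optional[str] = None) -> Tuple[bool, str]:
    """The check applied to the refresh_token grant and to logout:
    the token's `iss` must equal the issuer derived for this request."""
    expected = issuer_from_request(request_url, realm, pinned_base_url)
    actual = token_claims(token).get("iss")
    if actual != expected:
        return False, f"invalid_grant: token issuer {actual!r} != request issuer {expected!r}"
    return True, "ok"


def identity_refresh_and_logout(pinned_base_url: Optional[str] = None) -> dict:
    """Reproduce the flow from the issue: login happens through the frontchannel,
    so the refresh token carries the public issuer; Identity's backend then calls
    the token and logout endpoints through the backchannel hostname."""
    refresh_token = make_demo_token(realm_issuer(FRONTCHANNEL, REALM), "Refresh")
    token_endpoint = f"{BACKCHANNEL}/realms/{REALM}/protocol/openid-connect/token"
    logout_endpoint = f"{BACKCHANNEL}/realms/{REALM}/protocol/openid-connect/logout"
    return {
        "refresh": check_issuer(refresh_token, token_endpoint, REALM, pinned_base_url),
        "logout": check_issuer(refresh_token, logout_endpoint, REALM, pinned_base_url),
    }


if __name__ == "__main__":
    print("dynamic hostname:", identity_refresh_and_logout())
    print("pinned issuer:   ", identity_refresh_and_logout(pinned_base_url=FRONTCHANNEL))
```

With dynamic resolution both the refresh and the logout call fail, which is the symptom in the issue; once the issuer is pinned to the public base URL both pass. On a real deployment the quick diagnostic is the same as `token_claims`: decode the `iss` claim of the refresh token Identity holds and compare it with the Keycloak base URL Identity's backend actually calls. Whether pinning is achievable through Keycloak's hostname settings depends on the Keycloak version; the linked Keycloak issue tracks the frontchannel/backchannel limitation.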